• Post author:
  • Post category:Mobile / Security
  • Post comments:2 Comments
  • Reading time:27 mins read

Last Updated on August 9, 2011

Exactly One year ago (9 August 2010) Kaspersky discovered the first SMS Trojan for Android in the Wild dubbed SMS.AndroidOS.FakePlayer.a. This is considered a special date for the Google Mobile OS, since, before then, Android Malware was a litte bit more than en exercise of Style, essentially focused on Spyware. After that everything changed, and mobile malware targeting the Android OS become more and more sophisticated.

For this reason I decided to prepare a special birthday gift for the Android, that is a special compilation showing the long malware trail which characterized this day. Commenting the graph, in my opinion, probably the turning point was Android.Geinimi (end of 2010), featuring the characteristics of a primordial Botnet, but also Android.DroidDream (AKA RootCager) is worthwhile to mention because of its capability to root the phone and potentially to remotely install applications without direct user intervention. Moreover, as you will have probably noticed, the average impact is low, but, the number of malware is growing exponentially after June, this is the reason why I decided to divide my special compilation in two parts. Today is part I: from the beginning to May, the 31st 2011.

Let’s go in this mobile malware travel between botnets, sleepwalkers and biblic plagues and meanwhile do not forget to read my presentation on how to implement a secure mobile strategy.

Date Description Features Overall Risk
Aug 9 2010
SMS.AndroidOS.FakePlayer.a

First SMS Android Malware In the Wild: The malicious program penetrates Android devices in the guise of a harmless media player application. Once manually installed on the phone, the Trojan uses the system to begin sending SMSs to premium rate numbers without the owner’s knowledge or consent, resulting in money passing from a user’s account to that of the cybercriminals.

Aug 17 2010 AndroidOS_Droisnake.A

This is the first GPS Spy Malware disguised as an Android Snake game application. To the victim, Tap Snake looks like a clone of the Snake game. However, once someone installs this app on a phone, the “game” serves as a front for a spy app that proceeds to run in the background, secretly reporting GPS coordinates back to a server. The would-be spy then pays for and downloads an app called GPS Spy and enters an email address and code to gain access to the victim’s uploaded data.

Android MarketGPS Spy
Sep 14 2010 SMS.AndroidOS.FakePlayer.b

Pornography lands on Android! This malware is a variant of SMS.AndroidOS.FakePlayer.A. The malware poses as a pornographic application whose package name is pornoplayer.apk, and it installs on the phone with a pornographic icon. When the user launches the application, the malware does not show any adult content and, instead, sends 4 SMS messages to short codes, at the end-user’s expense.

Oct 13 2010
SMS.AndroidOS.FakePlayer.c

Pornography back on Android! Third variant of the malware SMS.AndroidOS.FakePlayer.A. New pornographic application, old icon. Sends 2 SMS messages to short codes, at the end-user’s expense.

Dec 29 2010
Android.Geinimi

First example of a Botnet-Like Malware on Android. “Grafted” onto repackaged versions of legitimate applications, primarily games, and distributed in third-party Chinese Android app markets. Once the malware is installed on a user’s phone, it has the potential to receive commands from a remote server that allow the owner of that server to control the phone. The specific information it collects includes location coordinates and unique identifiers for the device (IMEI) and SIM card (IMSI).

Botnet Like Features
Feb 14 2011
Android.Adrd AKA Android.HongTouTou

New Malware with Botnet-like Features from China. The trojan compromises personal data such as IMEI/IMSI of the device and sends them back to the remote side to react  based on the commands from there. Similar to Android.Geinimi but with a lower profile (less commands)

Botnet Like Features
Feb 22 2011 Android.Pjapps

New Trojan horse embedded on third party applications. It opens a back door on the compromised device and retrieves commands from a remote command and control server.

Botnet Like Features
Mar 1 2011 Android.DroidDream AKA Android.Rootcager AKA AndroidOS_Lootoor.A

The first example of a new generation of Mobile Malware: distributed through the Official Android Market, affected, according to Symantec 50,000 to 200,000 users. Expoits two different tools  (rageagainstthecage and exploid) to root the phone

Android MarketBotnet Like FeaturesRoot

Mar 9 2011 Android.BgServ AKA Troj/Bgserv-A AKA AndroidOS_BGSERV.A

Trojanized version of the Android Market Security tool released by Google, on March the 6th, to remove the effects of DroidDream. The trojan opens a back door and transmits information from the device to a remote location. It shows more than ever security and reputation flaws in the Android Market Proposition Model. 5,000 users affected.

Android MarketBotnet Like FeaturesRoot

Mar 20 2011 Android.Zeahache

Trojan horse that elevates privileges on the compromised device, discovered on a Chinese language app available for download on alternative Chinese app markets. The app has the ability to root an Android device (by mean of the exploid tool called by zHash binary), leaving the device vulnerable to future threats. The app, which provides calling plan management capabilities was found also on the Android Market albeit this version lacked the code to invoke the exploit.

Android MarketRoot

Mar 30 2011 Android.Walkinwat

Manually installed from non-official Android Markets, the Trojan modifies certain permissions on the compromised device that allow it to perform the following actions: Access contacts in the address book, ccess network information, access the phone in a read-only state, access the vibrator on the phone, Check the license server for the application, find the phone’s location, initiate a phone call without using the interface, open network sockets to access the Internet, read low-level log files, send SMS messages, turn the phone on and off. It gives a message to user  trying to discipline users that download files illegally from unauthorized sites.

May 9 2011

Android.Adsms AKA AndroidOS_Adsms.A

This malware specifically targeted China Mobile subscribers. The malware arrived through a link sent through SMS. The said message tells the China Mobile users to install a patch for their supposedly vulnerable devices by accessing the given link, which actually leads to a malicious configuration file. The malware then send message to premium numbers.

Android Market

May 11 2011

Android.Zsone AKA Android.Smstibook

Google removed a Trojan, Zsone, from the Android Market with the ability to subscribe users in China to premium rate QQ codes via SMS without their knowledge. 10,000 users affected.

Android Market

May 22 2011

Android.Spacem

A biblical plague For Android! Trojanized version of a legitimate application that is part threat, part doomsayer. The threat was embedded in a pirated version of an app called ‘Holy ***king Bible’, which itself has stirred controversy on multiple forums in which the app is in circulation. The malware targeted North American Users. After the reboot, it starts a service whichm at regular intervals, attempts to contact a host service, passing along the device’s phone number and operator code. It then attempts to retrieve a command from a remote location in intervals of 33 minutes. In addition to having abilities to respond to commands through the Internet and SMS, the threat also has activities that are designed to trigger on the 21 and 22 of May 2011, respectively (The End of The World).

Android Market

Botnet Like Features

May 31 2011

Android.LightDD

A brand new version of Android.DroidDream, dubbed DroidDreamLight, was found in 24 additional apps repackaged and redistributed with the malicious payload across a total of 5 different developers distributed in the Android Market. Between 30.000 and 120.000 users affected.

Android Market

Botnet Like Features

Legend

Parallel Market

Android MarketAndroid Market

Manual Install

Automatic Install of Apps

Send SMS or Calls to Premium Numbers

Botnet Like Features Server C&C

GPS SpyGPS Spyware

This Post Has 2 Comments

  1. Fox Uncle

    Nice summary & write up.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.